As of r1841219 I think the tlsv1.3-for-2.4.x is ready for merging... A BIG caveat remains around Post-Handshake Auth. With the current Perl stack (including whatever adjustments for OpenSSL 1.1.1 already required) the failures I get with the test suite and that branch are significant, because PHA is NOT enabled by default client-side and a bunch of the tests rely on that.

I don't understand the logic behind disabling PHA by default, and I think it's a serious error, but I am not optimistic that the decision will be reversed.

So with PHA disabled client side I get:

t/security/CVE-2009-3555.t (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests: 3-4
t/ssl/basicauth.t (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests: 2-3
t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 15)
  Failed tests: 16-30
t/ssl/extlookup.t (Wstat: 0 Tests: 4 Failed: 4)
  Failed tests: 1-4
t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2)
  Failed tests: 2-3
t/ssl/ocsp.t (Wstat: 0 Tests: 3 Failed: 1)
  Failed test: 3
t/ssl/require.t (Wstat: 0 Tests: 10 Failed: 3)
  Failed tests: 2, 5, 9
t/ssl/varlookup.t (Wstat: 0 Tests: 83 Failed: 83)
  Failed tests: 1-83
t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1)
  Failed test: 2

Hacking the Perl stack to enable PHA by default, PoC patches here - http://people.apache.org/~jorton/tlsv13-pha-snafu/ - I get:

t/security/CVE-2009-3555.t (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests: 3-4
t/ssl/ocsp.t (Wstat: 0 Tests: 3 Failed: 1)
  Failed test: 3

which I believe are both false +ves. I'll continue working these remaining failures.

Regards, Joe
